replacing one dependency in the chain
I'm trying to use a gem called "foo". However, "foo" depends on
a gem called "bar", which has a bug. So I uninstalled "bar", forked
it on GitHub and fixed the bug, then pushed "ghazel-bar" to
gemcutter. Now I can install "ghazel-bar" and it works great.
However, when I try to use "foo", it says:
Gem::LoadError: Could not find RubyGem bar (>= 0.1.0)
How do I tell "foo" that "ghazel-bar" satisfies that requirement? Do I have to maintain a fork of every gem which depends on "bar" and rewrite it to use "ghazel-bar" instead? That could become quite time-consuming, and is a bunch of changes which would never be accepted upstream and should be ditched as soon as the "bar" maintainer accepts my pull request (if ever!)
Thoughts?
Support Staff 2 Posted by Eric Hodel on 28 Jan, 2010 11:33 PM
This is a hard problem to solve. If dependency substitution is allowed, there's no way to protect against accidentally using malicious code. A malicious author could upload a library that satisfies or even overrides the dependency.
We've discussed this numerous times on the RubyGems mailing list, but have yet to come up with a good solution that solves this problem that we can implement. You're welcome to discuss this further on the mailing list if you have any ideas.
Eric Hodel closed this discussion on 28 Jan, 2010 11:33 PM.
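The trade-off raised in the reply above, modelled as an added Ruby example (not RubyGems' own code and not part of the thread): a resolver that trusts a gem's own claim to satisfy "bar" cannot tell the fork from an unrelated upload, while one that only honors a substitution named by the consuming application can. The `provides` field, the index contents, the gem "zz-bar-fast" and both resolver functions are hypothetical; only `Gem::Requirement` and `Gem::Version` are real RubyGems classes.

```ruby
require "rubygems"

# Constructed toy index. "provides" is a hypothetical field (RubyGems has no
# such thing); it models a gem declaring that it satisfies another gem's name.
Candidate = Struct.new(:name, :version, :provides)

INDEX = [
  Candidate.new("bar",         "0.1.0", nil),
  Candidate.new("ghazel-bar",  "0.1.1", "bar"),  # the fork from the question
  Candidate.new("zz-bar-fast", "9.9.9", "bar"),  # constructed: unrelated upload
].freeze

# Candidates matching dep_name by their own name, or (optionally) by their
# self-declared "provides", that also meet the version requirement.
def matching(index, dep_name, requirement, honor_provides:)
  req = Gem::Requirement.new(requirement)
  index.select do |c|
    named = c.name == dep_name || (honor_provides && c.provides == dep_name)
    named && req.satisfied_by?(Gem::Version.new(c.version))
  end
end

def newest(candidates)
  candidates.max_by { |c| Gem::Version.new(c.version) }
end

# Publisher-declared substitution: any gem may claim to be "bar" and the
# highest version wins, so the choice is controlled by whoever uploads last.
def resolve_publisher_declared(index, dep_name, requirement)
  newest(matching(index, dep_name, requirement, honor_provides: true))
end

# Consumer-declared substitution: a replacement is used only when the local
# application names it in overrides; claims made by gems are ignored.
def resolve_consumer_pinned(index, dep_name, requirement, overrides = {})
  wanted = overrides.fetch(dep_name, dep_name)
  newest(matching(index, wanted, requirement, honor_provides: false))
end

if __FILE__ == $PROGRAM_NAME
  puts resolve_publisher_declared(INDEX, "bar", ">= 0.1.0").name
  puts resolve_consumer_pinned(INDEX, "bar", ">= 0.1.0").name
  puts resolve_consumer_pinned(INDEX, "bar", ">= 0.1.0", { "bar" => "ghazel-bar" }).name
end
```

In the consumer-pinned model the trust decision sits with whoever installs "foo", which is the property a publisher-side declaration cannot provide.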